August 6, 2003

MEMORANDUM

FOR:      M/IRM, John M. Streufert

FROM:     IG/A/ITSA, Melinda G. Dempsey /s/

SUBJECT:  Risk Assessment of USAID/Washington’s Management of
          Telephone Services
          (Report No. A-000-03-002-S)

This memorandum is our report on the subject risk assessment. Although
this is not an audit report, it does contain several suggestions for your
consideration. We have reviewed your comments and they are included as
Appendix II.

For your information, and as a follow-up to this risk assessment, on
November 30, 2003 we will request a list of accomplishments and
procedures or programs implemented and/or planned that directly relate to
our suggestions.

I appreciate the cooperation and courtesy extended to my staff during the
risk assessment.

Background

The Telecommunications and Computer Operations Division of the Office
of Information Resources Management, Bureau for Management
(M/IRM/TCO), manages telephone services as well as information
technology activities for USAID/Washington.

Prior to USAID’s move into the Ronald Reagan Building in 1997, most of
USAID’s telephone services were provided by the Department of State.
Thus, to the extent that USAID’s need for telephone services was already
provided, the Agency did not have flexibility in procuring or improving
such services.
According to data provided by the Telecommunications
and Computer Operations Division, the cost of telephone services from
1990 to 1996 was high—$4½ to $6½ million per year—despite cost
control measures implemented by the Division. After the move to the
Ronald Reagan Building, USAID was able to institute its own
management of most of its telephone services. USAID’s current budget
for telephone services runs about $2.7 million per year.

The Telecommunications and Computer Operations Division manages
eight major telephone services for USAID/Washington as follows:

• Calling cards
• Cell phones
• Facsimile machines
• Local service
• Long distance service
• Network infrastructure (PBX)
• Pagers
• Telephone directory

USAID manages its telephone services through several contracted
suppliers, including Sprint, Verizon, Avaya, AT&T, Nextel, and MCI.
Underlying the number of services provided and the number of contracted
suppliers is a constantly changing technology in the telecommunications
industry. This changing technology has significantly impacted the
availability and use of diverse telephone products and services for
USAID/Washington. It has also added to the complexity of managing
telephone communication services.

During the past decade, the Office of Inspector General has performed no
audits of the management of telephone services by the Office of
Information Resources Management, nor have there been any related
external reviews or evaluations by other organizations.
Given the lack of
external independent reviews, including audits, we performed risk
assessments, especially in regard to economy and efficiency, of the major
telephone services of the Telecommunications and Computer Operations
Division of the Office of Information Resources Management.

The General Accounting Office’s (GAO) “Standards for Internal Control
in the Federal Government” (November 1999) notes that internal controls
should provide reasonable assurance that agency objectives are being
achieved, operations are effective and efficient, and assets are safeguarded
against loss. Internal controls consist of the following five interrelated
components. These components are the minimum level for internal
control and provide the basis against which internal control is to be
evaluated.

1. Management and employees should establish and maintain a control
   environment throughout the agency, one which sets a positive and
   supportive attitude toward internal control and conscientious
   management.

2. Internal control should provide for a risk assessment of the risks the
   agency faces from both external and internal sources.

3. Internal control activities should be effective and efficient in
   accomplishing the agency’s control objectives and help ensure that
   management’s directives are carried out.

4. Information should be recorded and communicated to management
   and others within the agency who need it and in a form and within a
   time frame that enables them to carry out their internal control and
   other responsibilities.

5. Internal control monitoring should assess the quality of performance
   over time and ensure that the findings of audits and other reviews are
   promptly resolved.

This review focused on the second component—risk assessment.
The
GAO Standards note that the specific risk analysis methodology used can
vary because of differences in agencies’ missions and the difficulty in
qualitatively and quantitatively assigning risk levels. This review assigned
a risk exposure of high, moderate, or low for each major telephone
service. A higher risk exposure simply indicates that the particular service
is more vulnerable to its program objectives not being achieved or to
irregularities occurring as it primarily affects economy and efficiency.
Appendix I describes in detail our risk assessment scope and
methodology.

Discussion

The Telecommunications and Computer Operations Division of the Office
of Information Resources Management, Bureau for Management
(M/IRM/TCO), is responsible for the following eight major telephone
services.[1] Our assessments of the risk exposure for each of these major
services, along with the factors used in rating those risks, are described
below.

Telephone Service                       Risk Exposure
Calling cards                           Low
Risk Assessment Factors
Costs
• Although costs per minute are substantially higher than desk phone
  calls, total annual cost runs only about $7,000 and consists only of
  the cost of user minutes.
Costs Transparency
• Detailed monthly cost data is available on a monthly basis.
Inherent Complexity
• No technical expertise is required for managing the approximately
  300 cards issued and the total annual calls of only about 4,000.
Internal Controls
• There is no
  accurate up-to-date inventory of issued and active cards
  because information on cancelled and returned cards is only
  irregularly purged from the active file.
• Standard internal authorization forms are used for the issuance of
  cards, but there are no written procedures for administration of this
  program, whether for card requisitioning, billing reviews, inventory
  maintenance, etc.
• Cards received from the vendor, but not yet issued to individual
  employees, are not kept under lock and key.
• There is no mechanism in place to ensure the return and cancellation
  of cards possessed by employees being reassigned overseas (calling
  cards are for USAID/Washington-based employees only).
• Although detailed call data is received monthly, they are not
  forwarded to users for certification as required. Instead, billing
  reviews are essentially of the monthly total to determine if the
  amount is reasonable based on historically billed amounts.
• Over the years, there have been a number of cases of abuse
  involving the use of calling cards, costing USAID several thousand
  dollars. However, the vendor now monitors usage for what it
  believes could be abusive activity and advises TCO for disposition.
Monitoring
• There are no particular monitoring or reporting procedures involved
  with the administration of the calling card program.
Planning
• There are no particular planning processes.
Prior Reviews
• No independent reviews have been performed.

[1] Our risk assessments only covered major telephone services managed and under the
control of the Telecommunications and Computer Operations (TCO) Division. In
addition to the major services described in this report, TCO is also responsible for
managing information technology activities, including local area networks, electronic
mail services, internet connectivity, and wide area network security.

Telephone Service                       Risk Exposure
Cell phones                             Moderate
Risk Assessment Factors
Costs
• For the phones that the TCO office is responsible for administering,
  about $100,000 annually is spent to cover the cost of phones,
  accessories, maintenance, and use charges. Because the demand for
  cell phones is perceived to be on the rise, this expenditure is
  expected to increase.
• Phones purchased start at about $75 each, but most recent purchases
  are costing about $300, which includes a standard package of
  accessories.
Costs Transparency
• Management is mainly concerned with overall costs associated with
  cell phones.
  Unit cost, particularly per minute, is not used as a
  management tool in administering the program, and overall cost per
  minute is not readily available.
• Costs are not readily identifiable because they are not segregated
  within ‘umbrella’ budget codes. Furthermore, other USAID
  Washington offices directly procure cell phones. These costs are
  unknown.
Inherent Complexity
• Cell phone technology, with increased capabilities and available
  features, is rapidly changing. Along with changes in the technology,
  ever-changing user plans are being offered.
• Currently, there are 150 phones, and the average monthly use of
  each is between 200 and 300 minutes.
Internal Controls
• Except for brief guidelines contained in the Automated Directives
  System, there are no documented internal control procedures.
• Billing reviews include determining that the cell phone numbers
  billed are numbers contained in inventory and searching for
  unusually high charges to a specific phone number. Such reviews
  are not performed on a monthly or any set periodic basis. Whatever
  reviews are performed are not documented, and certification of call
  details is not required of cell phone users.
• Phones are purchased and issued merely on the basis of the approval
  signature of the supervisor of an applicant/user.
  Otherwise, there is
  no established rationale or criteria, including type of phone or user
  plan.
Monitoring
• There is no reporting to management of any kind specifically
  devoted to cell phone matters.
Planning
• There are no specific or formal planning processes involved with
  cell phones.
Prior Reviews
• There have been no formal internal or external reviews of cell phone
  administration.
• There have been some cases of misuse of the phones, which have
  been turned over to respective administrative officers for
  disposition.

Telephone Service                       Risk Exposure
Facsimile machines                      Low
Risk Assessment Factors
Costs
• The total annual cost of new or replacement machines runs between
  $25,000 to $50,000. On average, about 25 machines are replaced
  per year at a cost of $1,000 to $2,000 each.
Costs Transparency
• Maintenance costs administered by another office not in our scope
  runs about $3,000 annually.
• Other Washington offices procure fax machines, the costs of which
  are unknown.
Inherent Complexity
• Service and operation are not technically complex.
• The TCO Telephone Office is responsible for administering about
  150 machines in the inventory.
Internal Controls
• There are no documented internal control procedures for the
  administration of the program.
• Discrepancies were noted in the inventory records, in such
  categories as quantity on hand, manufacturer, and location.
• If a machine repair is estimated to be the arbitrary amount of $500 or
  more, a replacement is
  ordered. There are no purchase or issuance
  criteria otherwise.
• There is no effective control over repairs and servicing because no
  repair history by machine is maintained.
Monitoring
• There is no reporting to management of any kind specifically
  devoted to fax machine matters.
Planning
• There are no specific or formal planning processes involved with fax
  machines.
Prior Reviews
• There have been no formal internal or external reviews of fax
  machine administration.

Telephone Service                       Risk Exposure
Local service                           High
Risk Assessment Factors
Costs
• Calendar years 2002 and 2003 costs were budgeted at $870,000 and
  $800,000, respectively, consisting primarily of fixed lease charges
  for several dedicated (trunk) lines and per-call/minute use charges
  with Verizon.
Costs Transparency
• Costs are not precisely known because local call costs are not totally
  segregated from long distance costs for each vendor.
• There is no assurance that contracted rates are always used for
  billing USAID, and implementation schedules of rate changes are
  not always known.
Inherent Complexity
• The management of this area requires a high level of technical
  knowledge to ensure the economic handling of about 160,000 local
  calls per month.
Internal Controls
• Internal control procedures are generally not documented.
• TCO lacks sufficient tools, information, and resources to
  comprehensively verify accuracy of contractor billings.
• No mechanism is in place to ensure that, as telephone exchanges are
  added or changed by the local carrier, timely program changes are
  made to the Private Branch Exchange (PBX) to route a given call
  through the cheapest means.
• TCO lacks adequate staff back-up for the highest levels of technical
  job skills.
Monitoring
• Software monitoring tools were cumbersome and time consuming to
  work with and, thus, their utility in analyzing complex traffic
  patterns and capacity utilization of trunk lines has not been fully
  reached.
• Detailed monitoring appears to be done ad hoc and without adequate
  tools or resources.
• The capacity of the dedicated trunk lines appears to be well in excess
  of actual traffic volume.
• Standard performance reporting to more senior management is not
  required; rather, ad hoc issues are covered during regular, periodic
  office meetings.
Planning
• There are no extraordinary technological investments envisioned,
  nor are there any unique needs assessments or processes required.
Prior Reviews
• No comprehensive reviews have been made for several years.
• Audits in other agencies resulted in significantly reduced costs.

Telephone Service                       Risk Exposure
Long distance service                   High
Risk Assessment Factors
Costs
• Calendar years 2002 and 2003 costs were budgeted at $843,000 and
  $649,000, respectively, and consist primarily of per-call/minute
  charges for domestic and international long distance calls routed
  through Sprint and AT&T.
Costs Transparency
• Total cost figures are not precisely known because some local costs
  are included with long distance costs.
• There was no assurance that contracted rates were always used for
  billing USAID, nor did TCO always know the implementation
  schedules of rate changes.
Inherent Complexity
• The management of this area requires a high level of technical
  knowledge to ensure the economic and efficient handling of about
  33,000 long distance calls per month routed through different pricing
  alternatives.
Internal Controls
• Except for abbreviated guidance contained in the Automated
  Directives System, internal control procedures are not documented.
• TCO lacks sufficient human resources to verify the accuracy of
  contractor billings; further, it is difficult to utilize
  software-monitoring tools. Thus, reviews are used essentially for spotting
  obvious problems and detecting trends, versus for verifying user
  minutes at contracted rates.
• TCO lacks adequate staff back-up for the highest levels of technical
  job skills.
Monitoring
• Detailed monitoring appears to have been done ad hoc and without
  adequate tools.
• There is no assurance that the Department of State’s International
  Voice Gateway (IVG) is used to the maximum extent possible.
  As opposed to user charges by Sprint or AT&T, the IVG is a zero-cost
  facility for placing international calls.
• There is no regular, periodic review and verification, as required by
  regulations, that long distance calls are official, authorized calls.
• Standard performance reporting to more senior management is not
  required; rather, ad hoc issues are covered during regular, periodic
  office meetings.
Planning
• Planning is a continuous process of evaluating USAID’s technical
  options, then evaluating suppliers’ rates and ability to deliver
  USAID’s service needs.
Prior Reviews
• No comprehensive reviews have been made for several years.
• Audits in other agencies resulted in significantly reduced costs.

Telephone Service                       Risk Exposure
Network infrastructure (PBX—Private     Moderate
Branch Exchange)
Risk Assessment Factors
Costs
• USAID assumed management of the PBX from the Department of
  State in 1998.
  By doing so, TCO stated it has reduced operating
  costs from about $2.5 million to less than $1 million per year.
• Calendar years 2002 and 2003 costs were budgeted at $850,000 and
  $900,000, respectively, consisting primarily of maintenance,
  miscellaneous equipment, and three full-time, on-site Avaya
  technicians (at an annual cost of about $320,000).
• Future investment costs for replacing the existing PBX, up to
  approximately 3,000 desktop telephones, and related network
  equipment could be several million dollars.
Costs Transparency
• Pricing information for maintenance, equipment, and service
  technicians is readily available.
Inherent Complexity
• The physical configuration of the PBX and the wiring to support the
  USAID/Washington’s telephony operation in the Ronald Reagan
  Building is highly complex.
• This area requires a high level of technical knowledge to ensure that
  PBX services are provided in the most economic, efficient, and
  timely manner over the several alternative telephone routings.
• A high level of technical expertise is required to oversee the Avaya
  contract and technicians.
Internal Controls
• Internal control procedures are generally not documented.
• Miscellaneous purchases of equipment, e.g., new or replacement
  desk phones or special non-standard wiring jobs, are done under a
  Blanket Purchase Agreement (BPA) with Avaya. By the very nature
  of BPAs, scrutiny of purchases is minimal.
• Adequate staff back-up for the highest levels of technical job skills
  is lacking.
  The work is mostly done by contract, and little risk exists
  that essential work will not be performed when required.
Monitoring
• The on-site (vendor-supplied) technicians monitor PBX operations,
  perform services, and correct problems as they occur.
• In addition, off site, Avaya monitors the performance of critical PBX
  components, e.g., routers and switches.
• There was nothing immediately available for use in the PBX room
  for fire protection.
• A standard reporting (format) to more senior management is not
  required; rather, ad hoc issues are covered during regular, periodic
  office meetings.
Planning
• To date, a formal needs assessment has not been performed, even
  though an extraordinary investment may be required to replace the
  PBX system and desk phones with new and evolving technology
  over the next two to five years.
• Telephony operations, especially the PBX, are vulnerable to major
  disruptions of service during a crisis situation.
Prior Reviews
• A Disaster Recovery Analysis and Planning review was performed
  by Avaya in October 2002, which served as a basis for detailed
  recovery planning.
• Otherwise, no prior audits or reviews have been done in this area for
  the last several years.

Telephone Service                       Risk Exposure
Pagers                                  Low
Risk Assessment Factors
Costs
• Pager leasing and service costs of about $25,000 annually are the
  only costs incurred.
• The simplest pagers lease for about $40 per year, whereas
  special-use pagers
  (e.g., for hearing impaired) lease for about $300 per year.
Costs Transparency
• Costs involved are readily available and known.
Inherent Complexity
• There is nothing technically complex about the administration or use
  of pagers.
• There are about 160 pagers under lease.
Internal Controls
• There are no documented internal procedures for the administration
  of the program.
• There presently is no requirement to validate pager assignments—
  validation by user organizations has not been done for at least four
  years. TCO made a recent attempt to validate the assignments, but
  no response had been received from the user organizations.
• Inventory records for in-use pagers are inaccurate because control
  procedures are inadequate. Thus, contractor billings cannot be
  adequately verified for accuracy.
• Accountability for pagers by employees is not required.
• There are no established criteria or rationale for the issuance of
  pagers.
Monitoring
• There is no reporting to management of any kind specifically
  devoted to pagers.
Planning
• There are no specific or formal planning processes involved with
  pagers.
Prior Reviews
• There have been no formal internal or external reviews of pager
  program administration.

Telephone Service                       Risk Exposure
Telephone directory                     Low
Risk Assessment Factors
Costs
• Costs are not specifically segregated for budgeting and expense
  tracking purposes.
  They are believed to be relatively insignificant.
Costs Transparency
• Costs are not known—see above.
Inherent Complexity
• Programming of system changes requires technical expertise.
• Personnel changes, such as rotations and reassignments, require
  multiple changes to unlinked, but interrelated, databases consisting
  of about 12,000 records.
Internal Controls
• The computer-based directory identifies how to make overseas
  directory changes.
• A detailed “how to” procedure was written in December 2002.
Monitoring
• Monitoring of the database accuracy is an Agency-wide
  responsibility and appears to be generally done in a satisfactory
  manner.
• A standard reporting (format) to more senior management is not
  necessary; rather, ad hoc issues are covered during regular, periodic
  office meetings.
Planning
• There are no specific planning processes, but requirements are
  considered in the normal course of work.
Prior Reviews
• There have been no formal internal or external reviews of telephone
  directory administration.

Conclusion

Our risk assessment of the Telecommunications and Computer Operations
Division of the Office of Information Resources Management, Bureau for
Management (M/IRM/TCO), covered eight telephone services and
reached the following conclusions.

                                                        Risk Exposure
Telephone Service                                       High    Moderate    Low
Calling cards                                                               X
Cell phones                                                     X
Facsimile machines                                                          X
Local service                                           X
Long distance service                                   X
Network infrastructure (PBX – Private Branch Exchange)          X
Pagers                                                                      X
Telephone directory                                                         X

Based on these assessments, we suggest that the Office of Information
Resources Management focus its efforts on mitigating the higher risks
associated with the areas identified above, i.e., the local and long distance
telephone services (see page 16).

In addition, we are making the following suggestions, which address
issues that cut across several or all of the areas that we assessed, regardless
of risk exposure:

• Written procedures are useful to standardize required or desired
  internal control actions and to serve as guidelines for any new staff, as
  well as for cross-training of current staff.
  These should include
  inventory control and billing review procedures that produce a sound
  basis for the administrative approval (or rejection) of contractor bills.

• Agency standards for the rationale (or criteria) of equipment issuance
  are necessary.

• Accountability standards should be formalized and required of
  employees who are issued equipment.

• A rationale for the Agency policy allowing telephony equipment
  procurement by other Bureaus, whether with operating or program
  funds and for which there is no centralized control, should be
  reevaluated.

• To afford adequate backup of TCO supervision and expertise in the
  office, one or more of the TCO staff positions should be upgraded to
  include higher-level telephony technical skills.
  This upgrade should
  be viewed as a prerequisite to implementing many of the suggestions
  contained in this report.

• Budgets and expenditure tracking should be realigned to the major
  functional telephone service areas we assessed because certain costs
  are not easily distinguishable using the current coding system.

Calling cards

• The need for calling cards should be revalidated with all employees
  currently holding cards, and specific accountability should be
  established.

• Procedures need to be established to ensure that departing or rotating
  employees return telephone cards.

• Spare cards that have not been issued need to be secured in a locked
  desk or container.

Cell phones

• Management needs to establish improved cost visibility for
  determining trends, cost variances and potential impact on budget
  requirements.

• Criteria and thresholds should be established for identifying calls that
  are to be included in a regular, periodic call detail certification process
  (see long distance below).

• To prevent unrestrained demand, criteria or a rationale should be
  established as a basis for issuing a cell phone, as well as for issuing
  cell phone accessories.

Facsimile machines

• Criteria should be established as the basis for issuing fax machines,
  including a standard such as number of employees per machine.
    In
    addition, usage records should be maintained to determine if the need for
    a replacement or new machine could be filled by a little-used machine
    already in inventory.

•   Service and repair history records should be maintained to help effect
    control over repairs and serve as a basis for replacements.

Local service

•   A comprehensive analysis needs to be performed in order to identify
    with each provider the optimal number of leased dedicated trunk lines
    and overall optimum utilization, and to remove excess capacity (lines).

•   A monthly (electronic) review needs to be implemented that compares
    minutes billed for all calls to actual minutes independently determined,
    and that compares all those call rates billed to contracted rates.

Long distance

•   A detailed analysis (electronic) of all calls made since inception of
    Federal Telecommunications Service (FTS) 2001 (and as revised)
    contracts to date should be performed to determine rates and lengths of
    all calls as billed versus the rates as per contracts and lengths as per
    monitoring software. Subject to allowability per contract, requests for
    any reimbursements from vendors per these analyses should be
    submitted.

•   A procedure to assure that TCO obtains on a timely basis the changes
    that are made to the FTS 2001 rates should be implemented.
    Then, as
    these rate changes are obtained, they need to be programmed into the
    PBX so that the most economical rate between Sprint and AT&T is
    used on a country-by-country basis for the given effective rate periods
    under the FTS 2001 contracts.

•   A monthly (electronic) review comparing minutes billed for all calls to
    actual minutes independently determined and comparing all those call
    rates billed to contracted rates should be implemented.

•   A regular, periodic call detail certification procedure for long distance
    calls should be implemented.

Network infrastructure (PBX)

•   As a follow-on to the October 2002 Disaster Recovery Analysis and
    Planning Report, the highest priority security and disaster concerns
    need to be identified and provided for. At a minimum, fire-fighting
    equipment, for example, CO2 bottle(s), should be immediately placed
    in the PBX rooms.

•   TCO should consider having a feasibility study performed that covers
    all aspects of the replacement of the PBX (and replacement telephones
    as needed). This study should also identify future budgeting
    requirements for this potentially extraordinary investment.

Pagers

•   An immediate follow-up should be initiated of TCO’s recent attempt
    to validate pager assignments, as well as to determine the continued
    need for pagers and to establish accountability on the part of
    employees using them.
    This should also help to establish a new, valid
    inventory.

•   Any excess pagers need to be returned to the supplier and termination
    of lease billings needs to be assured.

Telephone directory

•   Databases should be linked to enable more efficient automatic updates,
    which in turn would provide improved accuracy.

                           * * * * * * * * * * *

In response to our draft report containing the above suggestions, the
Telecommunications and Computer Operations Division (Office) of the
Office of Information Resources Management noted that some changes
had been contemplated during the period of the risk assessment. The
Office also asserted that, as a result of that process and our suggestions,
some changes have already been implemented and additional changes are
planned. For example:

•   After identifying that USAID/Washington had been significantly
    overcharged for international calls, the Office obtained an offer of
    reimbursement from the vendor. In addition, the Office plans on
    directing USAID/Washington staff to better utilize government and
    other currently available “toll free” links and, thereby, reduce further
    long distance costs.

•   After completing a comprehensive utilization analysis, the Office is
    significantly consolidating and reducing its number of dedicated trunk
    lines, thereby reducing its local phone service costs. In addition, the
    Office plans to further reduce these costs by switching to lower cost
    local phone service vendors, followed by another reduction in trunk
    lines.

•   For the other major telephone service areas that we concluded were
    not at high risk as to economy and efficiency, the Office’s plans
    include

    1.
       installation of a system that will provide some emergency backup
       service to the PBX and enable the Office to better evaluate the
       potential for its eventual transition from the current PBX system;

    2. improved budgeting visibility, issuance criteria, and inventory
       control procedures for cell phones and fax machines;

    3. improved inventory and security procedures over long distance
       calling cards; and

    4. new PC software that will enable receipt and review of faxes on
       the PC, thereby reducing the use of and need for fax machines in
       the Ronald Reagan Building.

Appendix I

Scope and Methodology

Scope

The Office of Inspector General, Information Technology and Special
Audits Division, conducted a risk assessment, especially in regard to
economy and efficiency, of major telephone services managed and under
control of the Telecommunications and Computer Operations Division of
the Office of Information Resources Management, Bureau for
Management (M/IRM/TCO). As such, it did not cover USAID’s overseas
telephony-related operations, nor the other information technology
activities for which the Telecommunications and Computer Operations
Division is responsible: local area networks, electronic mail services,
internet connectivity, wide area network, computer operations, etc.

This risk assessment was not an audit. The risk assessment covered
operations principally for fiscal year 2002 and operating expenditures of
about $2.7 million.
Costs related to USAID’s human resources were not
reviewed; thus, any mention of costs throughout this report does not
include them. The risk assessment fieldwork was conducted at USAID
headquarters in Washington, D.C., from November 25, 2002 to March 31,
2003.

Our risk assessments of the Telecommunications and Computer
Operations Division’s major telephone services have the following
limitations in their application:

•   First, we assessed risk at the major service level only, not at the
    Division or Office level.

•   Second, we assessed risk only. Our assessments were not sufficient to
    make definitive determinations of the effectiveness of internal controls
    for major services. Consequently, we did not generally (a) assess the
    adequacy of internal control design, (b) determine if controls were
    properly implemented, and (c) determine if transactions were properly
    documented. If we were able to make these types of determinations
    within the scope of our work, we reported on them accordingly as part
    of our risk exposure assessments.

•   Third, higher risk exposure assessments are not definitive indicators
    that program objectives were not being achieved or that irregularities
    were occurring.
    A higher risk exposure simply indicates that the
    particular service is more vulnerable to such events.

•   Fourth, risk exposure assessments, in isolation, are not an indicator of
    management capability because risk assessments consider
    both internal and external factors, some of which are outside the span
    of management control.

•   Fifth, comparison of risk exposure assessments between organizational
    units is of limited usefulness because risk assessments
    consider both internal and external factors, some being outside the
    span of management control.

Methodology

We interviewed officials as well as reviewed related documentation of
major telephone services performed by the Telecommunications and
Computer Operations Division. These activities covered background
information, organization, management, budget, relevant laws and
regulations, staffing responsibilities, prior reviews, internal controls, and
risks (i.e., vulnerabilities). Our review of the Telecommunications and
Computer Operations Division’s documentation was limited and
judgmental in nature and conducted principally to confirm oral attestations
of management.

We identified the Telecommunications and Computer Operations
Division’s major telephone services using the input from the Manager of
the Voice Telecommunications Group and based primarily on the
significance of each major telephone service.
We determined risk
exposure for all major telephone and related services, e.g., the likelihood
of significant abuse, illegal acts, and/or misuse of resources; failure to
achieve program objectives; and noncompliance with laws, regulations
and management policies as it primarily affects economy and efficiency.

We assessed overall risk as high, moderate, or low. A higher risk
exposure simply indicates that the particular telephone service was more
vulnerable to its program objectives not being achieved or to
irregularities occurring.

We considered seven risk assessment factors as they primarily affect
economy and efficiency. The specific risk assessment factors were chosen
in order to provide us a sufficient basis (although not necessarily a
comprehensive one) to make our professional judgments of risk. Our risk
assessment factors were as follows.

(1) Costs—Total and unit annual costs (fiscal year 2002) and known
    future extraordinary investment costs.

(2) Costs transparency—The ready availability to management of data to
    determine both total and unit costs of the service.

(3) Inherent complexity—Complexity based on technical issues and
    number of transactions or items requiring management action.

(4) Internal controls—Known aspects of documented internal control
    procedures, including billing reviews, inventory, procuring, staffing,
    and acknowledged weaknesses.

(5) Monitoring—Reporting requirements to more senior management and
    other oversight mechanisms.

(6) Planning—Planning for or assessment of needs, including future
    technology investment requirements.

(7) Prior reviews—Prior reviews of the service from external sources,
    internal sources, required annual internal control assessments, or
    reported cases of abuse or
    fraud.

As part of the assessment methodology, we identified, understood, and
documented (only as necessary) relevant internal controls, and we
determined what was already known about the effectiveness of those
controls. Our resulting assessment of risk was based on professional
judgment assessing the above varied risk assessment factors.
Consequently, we did not employ an overall materiality threshold for
assessing risk because the combination of these varied risk factors cannot
be readily reduced collectively to one strict overall numerical scoring
system or materiality threshold.

Appendix II

Management Comments

MEMORANDUM

TO:       IG/A/ITSA, Melinda G. Dempsey

FROM:     M/IRM/TCO, Gretchen Larrimer

DATE:     July 3, 2003

SUBJECT:  M/IRM/TCO Comments on IG’s Risk Assessment of USAID/Washington’s
          Management of Telephone Services (Report No. A-000-03-00X-S)

M/IRM appreciates the interest, thoughtfulness and courtesy shown by IG staff
during the risk assessment of USAID/W’s management of telephone services.

As you know, some changes were being contemplated during the period of the risk
assessment. As a result of that process and the suggestions in IG’s Risk
Assessment, some changes have already been implemented and some others are
planned. Accordingly, IRM/TCO has the following comments, grouped by
functional area.

Long Distance Services

IRM/TCO will tighten security procedures for unused long distance calling cards.
In the future they will be kept in a locked desk or container.
The Personnel Locator
System (PLS) is now being used as a means to update the inventory of calling cards.
This allows IRM/TCO to readily identify and cancel calling cards for staff who are
no longer assigned to USAID/W, because the PLS contains organizational
assignments for USAID staff. Additionally, the PLS is routinely modified by the
telephone group when an employee leaves USAID or goes overseas, so they can see
if an employee’s card needs to be canceled when the employee leaves. The
telephone group routinely checks for calling card impact when notified of an
employee’s departure from USAID/W.

During the period of the risk assessment, IRM/TCO had reviewed charges of both of
our commercial long distance vendors, AT&T and Sprint. IRM/TCO had tentatively
concluded that USAID was being overcharged for international calls by a large
amount by AT&T and by a much smaller amount by Sprint. Discussions with
AT&T have resulted in AT&T’s identification of the cause of the erroneous billing,
implementation of corrective action, and an offer of reimbursement. Continued
discussions with Sprint eventually resulted in a satisfactory explanation of the
discrepancy. IRM has asked both vendors to provide their rates for the next year of
their contract and to provide detailed explanations on how international call charges
will be calculated.

However, we believe that even more savings can result if USAID/W’s calls to
overseas missions can be made over dedicated government links, instead of using
any commercial long distance vendor.
USAID can benefit from cost savings by
reducing international phone costs through enabling and encouraging the use of
“free” toll bypass methods. USAID has two such methods available: the Voice
Over Internet Protocol (VOIP) links provided by IRM’s telecommunications
upgrade project and, to a lesser extent, the Diplomatic Telecommunication Service’s
International Voice Gateway (IVG).

During the last two years, IRM has installed WARP/VOIP links to over 50 missions,
enabling most calls to these missions to be made toll free. Most missions use this
capability heavily, but traffic analysis shows that less than 5 percent of international
calls from USAID/W currently use these means. Consequently, IRM/TCO will
focus on finding ways to change the calling patterns of USAID/W staff as a
potentially rewarding way of cutting long distance costs.

Cell Phones and Pagers

IRM/TCO will establish a new budget line item within the IRM budget system
beginning in FY 2004 to be called Wireless Communications. This line item will
break out cell phone and pager costs from other voice communications costs, thus
giving increased visibility to this category.

IRM/TCO agrees that criteria for issuance of wireless devices/services should be
reviewed and documented. In addition, policy for funding of cell phones and cell
phone service will be documented.

IRM/TCO will formally document inventory control procedures for cell phones and
pagers and train staff in the new procedures.

IRM/TCO will update its inventory of pagers and validate current requirements.
Unneeded pagers will be returned to the vendor. IRM will keep unused pagers in a
locked desk or cabinet.

Faxes

IRM/TCO plans to provide every PC user with access to USAID/W’s voicemail
system via desktop software called Message Manager.
Once the software is
installed, a fax can be sent to employees’ telephones in RRB, and then stored in their
voicemail boxes. Every person will then be able to receive and review faxes solely
from their PC without the need to have them printed. (If a hard copy is needed, the
recorded fax can be sent to a printer or fax machine.) We envision that this will
drastically reduce wear and tear on fax machines, increase convenience for receiving
fax messages, and provide the capability of receiving faxes privately. The net effect
should be to reduce the need for new fax machines. Once this installation is
completed, within this calendar year, and customers have a chance to become
accustomed to the new capability, we will assess the need to review standards for
issuance of fax machines.

Local Telephone Service

IRM/TCO has now completed a comprehensive analysis of the number of trunk
lines needed for local phone service based on five months of traffic. As a result of
this review, an order has been submitted to Verizon to consolidate all five of the
current trunk groups with Verizon into a single trunk group that can support
two-way traffic and reduce the number of T-1 circuits from 13 to 8.

In addition to reviewing the number of trunks needed for local phone service,
IRM/TCO has investigated other possibilities for reducing local phone service costs.
Consequently, IRM is also planning to switch local phone service from Verizon to
Cavalier and GTI (using GSA’s WACS contract) since the cost is considerably
lower than Verizon’s tariff rates. According to the latest Cavalier proposal,
outbound calls from RRB to Cavalier will not be charged separately, but rather the
cost of the calls will be included in the set cost for the T-1 circuits.
Consequently,
there will be no need to compare the number of calls in a Cavalier bill to the data
generated by our call detail reporting system. FYI, after Cavalier service has been
shown to be reliable, IRM/TCO plans to further reduce the number of Verizon T-1s
to further reduce local service costs.

Disaster Recovery

There is a fire extinguisher just ten paces outside of the PBX room, and the PBX
staff are aware of its location. Smoke detectors in the floor and ceiling of the PBX
room were checked in June 2003.

IRM/TCO is planning to install a LAN based IP phone system at the Tech Hub
within the next year. This system will provide some emergency backup telephone
service if the RRB PBX were to fail, and thus provide some disaster recovery
functionality. It will also enable USAID to better evaluate the potential of an
eventual transition at the RRB from a PBX phone system to a LAN based IP phone
system.

Telephone Directory

IRM/TCO is currently changing the way it receives telephone directory data.
IRM/SDM is replacing the Personnel Locator System with a new system called the
Employee Information Management System (EIMS). In addition, IRM/TCO is
planning to integrate data from the e-mail Global Address List (GAL) into the
telephone directory.